You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As a security-conscious dev In order to prevent unauthorized access to features via cookie tampering I want to encrypt the feature flag cookie
We should add an option to encrypt the rack-flags cookie using a symmetric key which is only known by the server, similar to how general cookie encryption is done in Rails (might be worth checking to see if there's a standard cookie encryption middleware we can use).
We should require the user to provide that symmetric key, and not have a known default (false sense of security).
We should make it obvious that not providing an encryption key will be bad. For example, make it so that you turn this feature off by calling allow_insecure_flag_transport or something.
The text was updated successfully, but these errors were encountered:
As a security-conscious dev
In order to prevent unauthorized access to features via cookie tampering
I want to encrypt the feature flag cookie
We should add an option to encrypt the rack-flags cookie using a symmetric key which is only known by the server, similar to how general cookie encryption is done in Rails (might be worth checking to see if there's a standard cookie encryption middleware we can use).
We should require the user to provide that symmetric key, and not have a known default (false sense of security).
We should make it obvious that not providing an encryption key will be bad. For example, make it so that you turn this feature off by calling allow_insecure_flag_transport or something.
The text was updated successfully, but these errors were encountered: